ABSTRACT

Various issues in the design of a transformational programming system are discussed; in particular we study the issue of passage from a nonprocedural problem specification to a first executable solution of that problem. Then scenarios describing the possible construction of two nontrivial problems - topological sorting and the eight queens problem - are given. Transformations shown to be of particular value are: formal differentiation, backtracking and recursion optimization, and elimination of nondeterminism.

1. INTRODUCTION

The major goal of programming methodology has always been to make the programming process as systematic as possible, thereby producing a framework within which programs can easily be written, debugged, maintained, understood and proved correct. To this end various tools and techniques have been suggested, such as structured programming, high-level languages, abstract data-types, advanced optimization techniques, sophisticated programming environment, etc.

Although these methods have proved very useful in speeding-up the program development process, they still fall short of understanding the essence of programming, which is still viewed more as an art than as a science. We still lack formalization, let alone mechanization, of the process by which problem specifications are turned into efficient and correct programs.

While there are obviously many ingenious steps taken by a programmer (or more often by an algorithm designer) in order to solve a particular problem in an efficient manner (or to solve it at all), it is nevertheless quite obvious that most of the steps involved in the programming process are standard and rather trivial. In fact, several such steps can already be performed by automatic optimization techniques, to which new and more advanced methods are being added continuously. Still, these techniques cover only a small portion of the process of program construction, and many standard programming techniques are still way out of the reach of an automatic or semi-automatic programming system.

There are at least three major motivations for seeking better understanding of the programming process. In order of their immediate applicability, they are:

(a) The ability to describe and express complex algorithms will be greatly enhanced if one is able to outline the way by which these algorithms have been arrived at, rather than just describe the final polished product. For example, the tricky Deutsch-Schorr-Waite marking algorithm (cf. [Kn, p. 417]) is rather difficult to comprehend as a stand-alone algorithm (especially when given in Knuth's relatively low-level style). However if we describe this algorithm as an optimized version of a depth-first search of the given graph, in which the recursive stacking mechanism has been made explicit and optimized by using available pointer space within each node in the list being processed, we can immediately gain much greater insight into the problem. The correctness of the algorithm becomes quite obvious, and we can easily generalize it to handle cases where each node can point to any fixed number of other nodes. Using such a method to describe algorithms also allows us to build 'genealogy trees' for various families of algorithms, to find similarities and differences between various algorithms having a common goal, and sometimes even to discover new specific algorithms from more general ones. Treatises of this sort can be found e.g. in LLGaRJ, [Scl] and [CS].

(b) The ability to prove program correctness will also be greatly enhanced if one can formally trace the process of converting a given
rather than just te

Various classes of program transformations have been studied so far. They include: the folding/unfolding technique of Burstall and Darlington for recursive programs CriO]; various recursion removal schemes [WS]; refinement via abstract data-type definitions tela I ?
automatic selection of data structures L3S3J, ELoZ and formal differentiation of set-theoretic expressions [Pa]. This last technique deserves more comment as it turns out to play a central role in the construction of the algorithms that we shall consider in this paper. This technique applies in cases where a complicated and expensive set-theoretic expression is repeatedly computed within a program loop in which the arguments of that expression change only slightly. It is then often possible to replace these repeated computations by much cheaper incremental computations which can be used to update the value of the original expression. This technique turns out to be an extremely powerful algorithm transformation which can improve algorithm efficiency by orders of magnitude, as shown in [Pa] and as will be demonstrated below. Various aspects and applications of this technique are studied in a companion paper [Sh]. Use of program transformations in program verification can be found in [Scl] and is also being studied in CDeaJ.


In this paper we will study various issues involved in transformational construction of programs from their specifications. Section 2 will discuss methods to accomplish the first step in such a process, namely the conversion of a static specification to an initial executable version. We will focus our attention on specifications involving set-theoretic objects and investigate in some detail a standard construction method for such objects, namely to construct them incrementally by adding one (or few) elements at a time. Sections 3 and 4 consist of case studies of two nontrivial problems. Section 3 considers the problem of testing a given graph for the existence of cycles and the relation of this problem to Knuth's topological sorting technique [Kn, p. 258]. Section 4 deals with the eight queens problem. In both sections an attempt is being made to systematize the derivation process as much as possible, and to note common techniques (most of which are still rather heuristic) which are likely to have a broad range of applicability.

ON IMPLEMENTATION OF NONPROCEDURAL OR 'ONE-STEP' SPECIFICATIONS

As one of the initial steps toward the design of a transformational programming system, this section will consider some of the issues involved in 'implementation' of nonprocedural, or 'one-step' algorithm specification.

We envisage a system able to accept the 'base-form' of algorithms in the form of a very high-level specification. In most cases such specifications will ignore control-flow details, and consist solely of input-output relationships, i.e. will state assumptions concerning the input to the algorithm, and will then specify the required properties of the output object(s) in some form of predicate logic. Typical examples (written in a very tentative specification language; see below for details) are:

(1) Sort:

    assume A : tuple(integer) 1 ... N;
           N : integer;
           N > 0;
    find P : permutation(N) st
        (forall I in {1 ... N-1} : A(P(I)) <= A(P(I+1)))

(2) Find all prime numbers less than some given number:

    assume N : integer; N > 0;
    find S : subset {1 ... N} st
        (forall X in {1 ... N} : X in S iff
            (forall Y in {2 ... X-1} : not divides(Y, X)))

(3) Find the transitive closure of a set under a relation:

    assume E : set; R : map(elmt E) elmt E; S0 : subset E;
    find S : subset E st
        S0 subset S and (forall X in S : R{X} subset S) and
        min(S, inclusion);

(4) String pattern matching:

    assume T : string; P : string;
    find I : integer st
        (forall J in {1 ... #P} : P(J) = T(I+J))


As can be noted from such examples, these specifications have the following general structure: Input assumptions tend to resemble data-type declarations, and also include certain relationships between input objects. Output requirements ask for computation of a certain object which must satisfy a rather involved predicate, usually involving quantifications over sets or tuples.


Let us assume for the time being that our initial specification has such a form. Various issues then arise. For example, what (if any) notion of correctness should such a specification possess? This is a nontrivial problem especially because some programming effort has already been involved in formulating the programming task (initially set before the programmer in a different, less formal form) as such a formal statement. Temporarily we will ignore this issue, and assume that the specification itself is the original version of the programming task, and is therefore 'correct' a priori. Any version obtained from this specification by applying a sequence of correctness-preserving transformations will therefore also be correct. (Nevertheless it will be very useful for such specifications to be executable as they stand, so as to strengthen the belief of the programmer in the 'correctness' of this base form of the algorithm. See [DS] for related comments.)

However, the main issue concerning such specifications is how to convert them into procedural form. I.e., given such a specification, we would like to construct from it, as mechanically as possible, a more efficient procedural program that accomplishes the task implied by the specification, which could then be further improved by successive transformations. While we certainly cannot fulfill this goal in all cases, we can hope that systematic study of commonly occurring patterns will enable us to generate 'default' programs automatically for a reasonably wide class of specifications.

Assume that the specification to be considered is given in a form

    assume G(A1, A2 ... An);
    find X st P(X, A1 ... An);

where A1 ... An are the input objects of the problem, where G is a predicate describing the input assumptions, where X is the required output object, and where P is a predicate describing the properties that X should satisfy. In what follows we will usually not state the 'assume' part of the specification explicitly, but imagine it to be given implicitly.

Two syntactic extensions to the 'find' part of such specifications suggest themselves. First, let us assume that X is qualified (by conditions constituting part of P) as having a certain (parametrized) 'data-type', whose purpose is to indicate a default search space for X, which should be either finite or at worst enumerable. Such a data-type should be either absolute (involving no parameters), or else parametrized in terms of input objects only. We propose to denote that part of P in a form resembling conventional data-type declarations, and thus propose to write our specification in the form

    find X : type st P(X);

Typical type declarations are:

    integer
    elmt A
    subset E
    map (elmt E) elmt F
    permutation (N)
    tuple (elmt E) 1 ... N

Built-in knowledge of such types (and also of more general abstract data types) would be a very important aspect of a system like that which we envisage. These additional types might include trees, order relations, one-one maps, partitions, permutations, polynomials and other typical abstract types. This library of data types should of course be extensible (as most of the features of our proposed system should be), so as to allow the user to add his own favorite data types to the system.


The next extension that we consider is appropriate for problems in which one does not just seek any X satisfying a certain property P, but instead wants the smallest (largest, shortest, minimal etc.) X satisfying P. In such cases it is very useful to separate the part of the predicate which specifies the 'extremum condition' involved from the rest of the predicate, in order to improve the succinctness of the specification. To do so, let us assume that the search space for X is the domain of some partial order relation 'ord', which, for simplicity, we assume to belong to some fixed class of frequently used order relations, including e.g.

(a) integers in their usual order,
(b) strings in lexicographical order,
(c) subsets of some given set in inclusion order,
(d) tuples or maps whose range is some partially ordered set in pointwise order,
(e) tuples whose range is partially ordered in lexicographical order.

Then we can use the notation

    find X : type st P(X) and EXT(X)

where EXT(X) is an 'extremum condition' that X must satisfy. This condition might typically have a form

    max (F(X), ord)

to indicate that we want an X for which the expression F(X) is maximal in the order 'ord'. Of course instead of 'max' we could also use 'min', 'largest', 'smallest' etc. with obvious meanings. This notation is suggested here only for syntactic convenience and has little impact on the transformations studied in this paper. See however [Sh] for formal transformation rules which can realize such extremum requirements in some important special cases.

Assume that we are given a specification in such a form. Its realization (i.e. construction of a procedural program to compute the required object) will depend on the data type 'type' of X and on the predicate P(X). To understand the force of this remark, we first consider a few simple cases where P(X) has a structure which can be translated into procedural form easily.


Assume first that P(X) has the form X R A, where A is some constant expression (that is, depends only on input objects) and R is a relation.

(a) If R is an equality, then this task can be easily realized by 'X := A'.

(b) If R is set membership, realize the task by 'X := arb* A', where arb* denotes nondeterministic selection from A.

(c) In general, X R A may be realized by 'X := arb* {Y : Y R A}'. (Here one should generally use the data-type declaration for X also, to qualify the set appearing in the above selection.)

Assume next that P(X) has a form in which X is not isolated from the input objects in an obvious manner. E.g. let P(X) be 'X = T(X)'. In general this case is substantially harder than the cases considered above, and often there will be little that can be done automatically. There are however several possible courses of action which will be helpful in special cases:

(d.1) The system could prompt the user to re-express P(X) in a form in which X is isolated. This isolation can be accomplished either in a fully manual manner, or else by suggesting some kind of simplification to the system.

(d.2) If the search aims to attain some extremum condition, it might be realized using successive approximation techniques. Fixed point problems in well-founded sets can often be solved in this manner.

Next assume P(X) to be a conjunction of the form 'Q(X) and R(X)'. In this case there are several possibilities:

(e.1) Q(X) and R(X) may be independent, i.e. to realize the conjunction it is sufficient to realize each conjunct independently by procedures that do not conflict with each other, and then combine their outputs in a fixed predetermined manner. For example, to realize


    find X : set st A in X and B in X;

one can simply satisfy 'X : set' by assigning any set to X, then to realize 'A in X' by 'X with := A', and similarly realize 'B in X' by 'X with := B'.

Likewise, to realize

    find X : tuple st X(1) = A and X(2) = B

we can assign any tuple to X, and then set X(1) := A; X(2) := B;

(e.2) It may be possible to simplify 'Q(X) and R(X)' into a form in which the conjunction does not appear explicitly. This will usually make P(X) easier to handle. For example, we can simplify

    find X st X in A and X in B

into

    find X st X in A * B.

Similarly, we can simplify

    find X st X > A and X > B

into

    find X st X > max(A, B)

etc.

(e.3) If none of the above rules apply, we can use a general strategy which will choose one of the conjuncts, say Q(X), as an 'operational' predicate, i.e. will try actively to realize it, and use the other conjunct R(X) as a test to restrict the possible realizations of Q(X). Heuristically we can say that we want to 'realize Q(X) provided that R(X)'. For example, the task

    find X st X in E and F(X) > C

is solved by

    X := arb* {W in E st F(W) > C}

A similar treatment can be used to handle disjunction of subpredicates.

These few examples concerning realization of given specifications have been given here only as a prologue to the main issue to be discussed in this section, namely - incremental construction of composite objects from their given specification. In spite of this, a more comprehensive study of ways to realize general specifications is certainly called for.

This last approach (e.3) to conjunction has immediate application in the realization of tasks having the general form

    find X : type st P(X);

So far we have ignored the data-type part of such a specification, but in general it must be treated as an additional conjunct of the specification predicate. In most cases this will be chosen as the operational conjunct in case (e.3), and will therefore be realized in a most general way, using P(X) as a restrictive condition on the object being generated. Since the data types likely to be specified will often belong to a relatively small family of commonly used types, we can appropriately study general schemes to realize objects having such data types in a more systematic manner than other predicates. Such a study will enable our system to obtain an initial procedural version of a given specification, which should then be subject to a process in which a sequence of correctness-preserving transformations will be applied to that version till satisfactory efficiency is obtained.

We note that in many programming tasks the object(s) being sought are composite. A program whose task is to compute an integer is either relatively trivial, or else involves rather highly inventive arguments. A more tractable programming task would be to construct a certain set, list, table etc. of objects, having certain properties.

A key method for construction of a composite object is to build it incrementally, by starting with some initial (usually empty) value, and then by adding elements one at a time, while retaining the validity of the predicate P(X) defining X (or perhaps while aiming to make P(X) true). We will refer to such a method as 'growth of domains of validity'. In such cases the elements of X will often be selected nondeterministically from some domain and the validity of P(X) will be tested each time X is augmented. This schema lends itself to application of formal differentiation of the predicate P(X). Formal differentiation enables us to replace repeated evaluations of P(X) (likely to be very costly) by evaluations of 'incremental' or 'derivative' predicates which will often be much more efficient to evaluate.

We thus want to collect recipes which realize a 'partial' specification of the form

(*)  find X : type st < condition >

where 'type' denotes a composite data-type, where the < condition > is left unspecified, and where we aim at an incremental construction of X. We begin with the following typical cases:

(1)  find X : subset E

This can be realized as

    X := {};
    (while arb* {true, false})
        U := arb* (E - X);
        X with := U;
    end while;

REMARK 1: This program is in fact more general than its specification, in the sense that it allows elements to be added to X in any possible order, which will create some redundancy among the resulting subsets. In fact the number of possible ways of executing this program is roughly e * (#E)!, compared with the 2**(#E) possible subsets. Nevertheless it is important to allow this redundancy, because often final algorithm efficiency may greatly depend on the order in which elements are added to X. We want to allow considerable redundancy initially, and to prune the search space later.


REMARK 2: Note that in the preceding schema the predicate 'arb* {true, false}' plays two roles. To see this, assume that the qualifying predicate P(X) is given, so that we want to realize

(*)  find X : subset E st P(X)

Then exactly the same program could be used, except that the while header should be replaced by

    (while not P(X))

With this change our code will not find the most general subset of E satisfying P (in fact it will yield only some sequentially minimal such subset). This is quite all right, for the specification as stated did not require us to compute all such subsets. However, if we want to regard (*) as a partial specification to which additional constraints might be added later on, then we should use the following while header:

    (while not P(X) or arb* {true, false})

This would correspond to the following specification

    find X : subset E st P(X) and ?

where ? denotes an undefined predicate.

This indicates that the predicate 'arb* {true, false}' can serve both as a default value for a yet unsupplied predicate, and as a syntactic marker in a specification pattern denoting such an unknown predicate. In what follows we will use the notation ? for both purposes.

We now pass to the examination of a second important pattern, namely

(2)  find X : tuple(elmt E) st ?

This can be implemented using the scheme

    X := [];
    (while not ?)
        U := arb* E;
        X with := U;
    end while;

Here there is no redundancy since the specification requires that a linear augmentation be produced.

Yet another specification of interest is

(3)  find X : map(elmt E) elmt F st ?

If we allow maps to be only partially defined, then construction of such X can be viewed as a generalization of the subset case, and so can be realized by the following scheme:

    X := {};
    (while not ?)
        U := arb* (E - domain X);
        V := arb* F;
        X(U) := V;
    end while;

Here, as in the case in which we want to construct a subset, the order of selection of the domain elements of X is explicit in our scheme, leading to a redundancy already noted.

To see how such specification patterns are to be used in more specific contexts, consider the case where new data types are to be defined in terms of already existing data types (broader applications to the solution of larger problems are exhibited in the following sections). For example,

(4) Total maps:

    find X : map(elmt E) elmt F st domain X = E and ?

Using the scheme (3) to realize general map construction, we would obtain

    X := {};
    (while domain X /= E or not ?)
        U := arb* (E - domain X);
        V := arb* F;
        X(U) := V;
    end while;

which can then function as a standard scheme to realize everywhere defined maps in a most general manner. Further specifications of the form

    find X : totalmap(elmt E) elmt F st P(X)

can then be implemented using the preceding scheme with P(X) replacing ?.

(5) One-one (and total) maps:

    assume E : set; F : set;
    find X : totalmap(elmt E) elmt F st
        (forall [A, C] in X, [B, D] in X : A = B or C /= D) and ?

Using the last scheme, we obtain

    X := {};
    (while domain X /= E or
           (exists [A, C] in X, [B, D] in X st A /= B and C = D)
           or not ?)
        U := arb* (E - domain X);
        V := arb* F;
        X(U) := V;
    end while;

This version, however, requires several transformations to reach a more acceptable standard form. The main transformation is to formally differentiate the predicate '(exists ...)' appearing in the while header, which will be denoted as G(X). This predicate has a special property of 'monotonicity' with respect to the changes of X within the loop, i.e. whenever G(X) is true for some value of X, it will remain true for all subsequent values of X. If the program is to terminate, then G(X) should be kept false at all times, and we had better fail as soon as G becomes true.

To achieve this effect we move the negation of G(X) to the end of the loop (checking that it is initially false), and making it into an assertion. This would yield

    X := {};
    (while domain X /= E or not ?)
        U := arb* (E - domain X);
        V := arb* F;
        X(U) := V;
        assert (forall [A, C] in X, [B, D] in X : A = B or C /= D)
    end while;


Next we formally differentiate the new predicate, using the property
that differentiating an expression of the form

    assert (forall bJ : P);

amounts to asserting the differentiated quantifier. This yields

    X := {};
    (while domain X /= E or not ?)
        U := arb* (E - domain X);
        V := arb* F;
        assert (forall [A, C] in X : A = U or C /= V);
        X(U) := V;
    end while;

Next we can manipulate the resulting predicate, first by noting that
A = U is false, and then by moving V 'out' of the forall condition to
obtain the predicate

    assert V notin {C : [A, C] in X};

i.e.

    assert V notin range X;

This will yield a reasonable 'base-form' construction for one-one maps,
as follows:

    X := {};
    (while domain X /= E or not ?)
        U := arb* (E - domain X);
        V := arb* (F - range X);
        X(U) := V;
    end while;

which could then be entered as the default scheme for the new data type
'oneonemap'.

(6) Enumeration: Suppose that we next want to define an enumeration of
a set as follows:

    find X : oneonemap(elmt E) elmt {1 ... #E} st ?

Using the last scheme we obtain

    X := {};
    (while domain X /= E or not ?)
        U := arb* (E - domain X);
        V := arb* ({1 ... #E} - range X);
        X(U) := V;
    end while;


We can improve this version in several ways. The one that seems to
be the most natural is as follows: The original map construction scheme
(2) contains a redundancy in the sense that both domain and range
elements of X are selected nondeterministically. To do better, we could
note that the values selected for V are always distinct from one
another, so that we can simply iterate over the range of V (noting that
its size is the same as the number of iterations of the original loop),
and only select the next element of E nondeterministically.


Stepwise derivation of this improvement might be as follows:
Formally differentiate {1 ... #E} - range X (from which V is
selected), and call it MORE; also interchange the selection of U and V
to obtain

    X := {};
    MORE := {1 ... #E};
    (while domain X /= E or not ?)
        V := arb* MORE;
        U := arb* (E - domain X);
        X(U) := V;
        MORE less:= V;
    end while;


Since we know (from the original scheme (3)) that one of the selections
of U and V can be made deterministic (but arbitrary), we convert the
selection of V into a deterministic 'arb', to obtain a reasonable
base-form construction scheme for an enumeration.


It is also possible to choose the arbitrary way in which V is to be
selected, to be the natural linear order of integers. This choice might
not be generally suitable for an arbitrary construction of an
enumeration, but in most cases will yield the desired way in which X
should grow. To this end, we convert the statement 'V := arb MORE' into
'V := min MORE'. Moreover, we note that one always has the equality V
= #X + 1. Hence we can eliminate the use of MORE altogether, and come
up with the following version:

    X := {};
    (while domain X /= E or not ?)
        U := arb* E st U notin domain X;
        X(U) := #X + 1;     $ (evaluated right-to-left)
    end while;


EXAMPLE: TESTING A GRAPH FOR EXISTENCE OF CYCLES


In this section we describe a possible construction via program
transformation of a program which tests a given directed graph for
existence of cycles, from the high level specification suggested by
[ever et al ir toe].

VERSION 1: Let G be a given directed graph. That is, G is a set of
ordered pairs (edges). We are to test whether G contains a cycle. In
other words, we want to check whether there exists a (nonempty) subset S
of G having the property

    (forall X in S : (exists Y in S st X(2) = Y(1)))

This can essentially be put as the following specification:

    find S : subset G st S /= {} and
        (forall X in S : (exists Y in S st X(2) = Y(1)))


As is well known, this condition can be tested by an algorithm
linear in the number of edges of the graph, to wit topological sorting
(cf. [Kn, p. 253]). If directly executed the specification just
written is exponential in the number of edges of G. However, we shall
see that by transforming this specification we can come after several
stages to a related algorithm that is linear in the number of edges of
G, but nevertheless quite different from the topological sort. Some of
the transformation steps used in our derivation are examined from a more
formal point of view in [Sh].

The first thing that we might attempt is to construct S
incrementally, following the approach described in section 2. Using the
basic subset construction scheme given there, we obtain


VERSION 2:

    S := {};
    (while (exists X in S st (forall Y in S : X(2) /= Y(1)))
            or S = {})
        Z := arb* (G - S);
        S with:= Z;
    end while;


This form is amenable to formal differentiation. Indeed, let

    P(X, S) = forall Y in S : X(2) /= Y(1)

    BADEDGES = {X in S | P(X, S)}

Then note that adding Z to S cannot add new elements to BADEDGES (except
that Z itself may belong to BADEDGES), because if W belonged to S before
adding Z to it and did not satisfy P then, it still would not satisfy P.
On the other hand, the insertion of Z into S could eliminate certain
edges from BADEDGES, as P(X) becomes now more restrictive than before.
Thus one obtains the following version


VERSION 3:

    S := {};
    BADEDGES := {};
    (while exists X in BADEDGES or S = {})
        Z := arb* (G - S);
        S with:= Z;
        if (forall Y in S : Z(2) /= Y(1)) then
            BADEDGES with:= Z;
        end if;
        (forall W in BADEDGES)
            if W(2) = Z(1) then
                BADEDGES less:= W;
            end if;
        end forall;
    end while;


At this point, we would like to restrict the nondeterministic
selection of Z in a way which would make it 'productive', in the sense
that adding Z to S will make BADEDGES as small as possible. We note
that this set can be increased by Z at most, so that we would like to
balance this change by removing at least one element from it. This can
be done by selecting Z such that X(2) = Z(1), for then X is certain to
be removed from BADEDGES.

OBSERVATION: When applying a transformation whose effect is to limit
the search space in a manner arrived at arbitrarily, one must show that
the resulting program is equivalent to the previous version, in the
sense that if the new version will fail, the old version will also have
failed. This issue is noted here, but is not elaborated below (see
however [Sh] where this subject is further discussed and where this
transformation is formally justified).


This will produce the following


VERSION 4:

    S := {};
    BADEDGES := {};
    (while exists X in BADEDGES or S = {})
        Z := arb* {W in G - S st
                (if X /= OM then W(1) = X(2) else true end)};
        S with:= Z;
        if (forall Y in S : Z(2) /= Y(1)) then
            BADEDGES with:= Z;
        end if;
        (forall W in BADEDGES)
            if W(2) = Z(1) then
                BADEDGES less:= W;
            end if;
        end forall;
    end while;


Next, a (nontrivial) verification step will prove the following
facts:

(a) The cardinality of BADEDGES is 0 the first time the loop is entered.

(b) In the first iteration of the loop, BADEDGES increases by one
element, or remains the same (i.e. empty).

(c) In any other iteration, BADEDGES either increases by one element or
does not increase, and at the same time decreases by at least one
element.

(d) As a corollary, the cardinality of BADEDGES is at all times at most
one.

These facts allow us to eliminate the loop (forall W in BADEDGES)
and replace it by the deletion of X from this set. Moreover, we can
replace references to BADEDGES by references to its singleton element.
All this will yield the following version:


VERSION 5:

    S := {};
    BADEDGE := OM;
    (while BADEDGE /= OM or S = {})
        Z := arb* {W in G - S st
                (if BADEDGE /= OM then W(1) = BADEDGE(2) else true end)};
        S with:= Z;
        BADEDGE := OM;     $ removing it from the set
        if (forall Y in S : Z(2) /= Y(1)) then
            BADEDGE := Z;
        end if;
    end while;


Next we simplify the remaining 'forall' condition by transforming
it into

    Z(2) notin {Y(1) : Y in S}

and simplify further by formally differentiating the new set expression
with respect to S. This gives us the following


VERSION 6:

    S := {};
    BADEDGE := OM;
    PNODES := {};
    (while BADEDGE /= OM or S = {})
        Z := arb* {W in G - S st
                (if BADEDGE /= OM then W(1) = BADEDGE(2) else true end)};
        S with:= Z;
        PNODES with:= Z(1);
        BADEDGE := OM;
        if Z(2) notin PNODES then
            BADEDGE := Z;
        end if;
    end while;


The next simplification step is to prove that the condition 'Z
notin S' in the selection of Z is redundant, and is implied by the other
condition Z(1) = BADEDGE(2). This can be done by noting that if Z(1) =
BADEDGE(2) then Z(1) notin PNODES (by the way BADEDGE has been
computed); i.e. Z(1) notin {Y(1) : Y in S}, so that Z notin S. Thus
S is not used at all during the loop, (except for the test S = {} which
is relevant only for the first iteration through the loop, and can be
replaced by another test), and in fact is not used at all (it is
sufficient to know whether such an S exists). Hence we can eliminate S
from the program altogether, getting the better version


VERSION 7:

    BADEDGE := OM;
    PNODES := {};
    (until BADEDGE = OM)
        Z := arb* {W in G st
                (if BADEDGE /= OM then W(1) = BADEDGE(2) else true end)};
        PNODES with:= Z(1);
        BADEDGE := OM;
        if Z(2) notin PNODES then
            BADEDGE := Z;
        end if;
    end until;


Next, we 'unroll' the loop so as to separate its first iteration
from the others. Also, since the edges themselves are not maintained in
Version 7, but only their end points, we can substitute [U, V] for Z and
[UE, VE] for BADEDGE. (Note that we adopt the convention that assigning
OM to a pair (such as [UE, VE]) means assigning OM to each component.)
This gives


VERSION 8:

    [UE, VE] := OM;
    PNODES := {};
    [U, V] := arb* G;
    PNODES with:= U;
    if V notin PNODES then
        [UE, VE] := [U, V];
    end if;
    (while [UE, VE] /= OM)
        [U, V] := arb* {[U1, V1] in G st U1 = VE};
        PNODES with:= U;
        [UE, VE] := OM;
        if V notin PNODES then
            [UE, VE] := [U, V];
        end if;
    end while;


But if we change the test in the while loop to 'VE /= OM' then we
see that UE is not used at all in the program; furthermore, U then is
not used in the while loop. Thus selection of [U, V] in the loop can be
reduced to a selection of V. Also the first selection of [U, V] can be
broken into a selection of U (from domain G) followed by a selection of
V (from G{U}). After some additional simplifications we get


VERSION 9:

    VE := OM;
    PNODES := {};
    U := arb* domain G;
    V := arb* G{U};
    PNODES with:= U;
    if V notin PNODES then
        VE := V;
    end if;
    (while VE /= OM)
        V := arb* G{VE};
        PNODES with:= VE;
        VE := OM;
        if V notin PNODES then
            VE := V;
        end if;
    end while;


But then if we rename U as VE (moving the first assignment to VE down)
we note that the code from the first selection of V is identical to the
code within the loop. We can then 'roll' it back into the loop, and can
also eliminate the assignment of OM to VE and the test of VE in the loop
header by noting that the loop will terminate iff the condition in the
if statement within the loop is false. All this will produce
VERSION 10:

    PNODES := {};
    VE := arb* domain G;
    (loop do)
        V := arb* G{VE};
        PNODES with:= VE;
        if V notin PNODES then
            VE := V;
        else
            stop;
        end if;
    end loop;


To this end, let us assume that the backtracking implied by
nondeterministic selection is made explicit in our program, e.g. by
holding backtracked quantities on a stack. Then a very interesting and
general transformation becomes applicable. A shortcoming of naive
backtracking is that it 'does not learn from mistakes', namely - it can
not exploit information due to the fact that it has previously failed
along some path. More sophisticated backtracking will use certain 'memo
functions', to record whatever useful information is available from a
failure (cf. [Sc2]). This is quite analogous to the use of memo
functions to optimize recursive procedures (cf. [Co] for example). The
memo functions used in backtracking should of course be nonbacktracked
(corresponding to the fact that memo functions are global in the case of
recursion).

In our example, a natural memo variable could be some set of nodes
already visited. A sufficiently powerful verification step might then
prove the following

CLAIM: If the backtracking mechanism has failed to find a cycle from a
node VE, then it would not be able to find a cycle by going through VE
along a later backtracking path.


In other words, once having failed to find a loop while examining a node
VE, we can add it to our 'memo' set and exclude it from any further path
tracing. Let BADNODES denote the memo set just described. Then the
preceding computations bring us to the following version, which uses
BADNODES to limit the search (see [Sc1] for the explanation of the
backtracking primitives OK and FAIL used in this version):

VERSION 11:


    BADNODES := {};      $ the nonbacktracked memo set
    PNODES := {};

    if exists VE in domain G st VE notin BADNODES and OK then
        (loop do)
            if exists V in G{VE} st V notin BADNODES and OK then
                PNODES with:= VE;
                if V notin PNODES then
                    VE := V;
                else
                    stop;
                end if;
            else    $ failure
                BADNODES with:= VE;
                fail;
            end if;
        end loop;
    else
        print('total failure');
        stop;
    end if;


This version is already linear in the number of edges and nodes in
the graph being analyzed. Nevertheless, we will still want to apply
additional backtracking optimizations to it, in order to minimize the
effort of stacking and unstacking environments.

Our objective is to stack as little as possible, and when we fail,
to trace the changes of the values of other backtracked but unstacked
variables in terms of the stacked variables.

OBSERVATION: Backtracking optimizations of this nature are apt to play
a central role in the final phases of our transformational process. It
seems plausible that automatic methods could eliminate most of the
effort involved in these transformations, thereby making them relatively
painless for our system user. (See also next section where a similar
optimization is used in a transformational solution of the eight queens
problem.) For a discussion of such possible optimizations, see [Sc2].


In Version 11, we can note that the only variable changed between
the first backtracking point and the second one is VE, so that only VE
need be saved. Between any two consecutive arrivals at the second
backtracking point, the variables being changed are V, VE and PNODES.
VE is used and then redefined, so that we should save it. However, V
need not be saved, as it is equal to the current value of VE. Also
PNODES need not be saved, as it is modified only incrementally, by
adding VE to it (this operation is reversible, since at the point of
insertion VE does not belong to PNODES), and VE will be stacked.
Finally there is no need to stack the (address of the) backtracking
point, as we can determine to which backtracking point to branch after a
failure by checking whether PNODES is {} (in which case we return to the
first point) or not (and then return to the second one).

These considerations lead us to the following version (in which set
iterations are expanded using two primitives 'zeroelmt' to initialize
such an iteration, and 'nextelmt' to proceed from a given element to the
next one; this is done to allow us to backtrack into a point within the
(unexpanded) iteration operation):


VERSION 12:

    BADNODES := {};
    PNODES := {};
    STACK := [];

    DOMG := domain G;
    VE := zeroelmt(DOMG);
    back1:
    (doing VE := nextelmt(VE, DOMG); while VE /= OM)
        if VE notin BADNODES then
            goto succeed1;
        end if;
    end doing;

    print('total failure');
    stop;

    succeed1:
    STACK with:= VE;

    (loop do)
        GVE := G{VE};
        V := zeroelmt(GVE);
    back2:
        (doing V := nextelmt(V, GVE); while V /= OM)
            if V notin BADNODES then
                goto succeed2;
            end if;
        end doing;
        $ failure
        BADNODES with:= VE;
        V := VE;
        VE frome STACK;
        PNODES less:= VE;
        GVE := G{VE};
        if PNODES = {} then
            goto back1;
        else
            goto back2;
        end if;

    succeed2:
        STACK with:= VE;
        PNODES with:= VE;
        if V notin PNODES then
            VE := V;
        else
            stop;
        end if;
    end loop;

We take this as our final destination along this transformational
path. It is interesting to note that this version is essentially an
expanded (and optimized) version of a depth-first search of the given
graph. It is noteworthy that the above sequence of transformations has
been chosen so as to avoid as much as possible use of 'ingenious' steps
in which the next version is obtained by applying a rather deep and
nonobvious transformation to the current version. If such steps were
included in our process, we could obtain the topological sort from our
original specification using e.g. the approach outlined in ZZ31*
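The memo-set idea of Versions 11 and 12, as an added Python example that is not part of the original paper: `find_cycle`, `diamond_chain` and the `use_memo` switch are names chosen here, and the edge lists are constructed inputs. It counts edge examinations so that the effect of BADNODES can be compared with naive backtracking on the same graph.

```python
"""Cycle test with PNODES (current path) and BADNODES (memo set)."""


def diamond_chain(k):
    """Constructed acyclic input: k diamonds n0 -> {a0, b0} -> n1 -> ... -> nk."""
    edges = []
    for i in range(k):
        for mid in (f"a{i}", f"b{i}"):
            edges.append((f"n{i}", mid))
            edges.append((mid, f"n{i + 1}"))
    return edges


def find_cycle(edges, use_memo=True):
    """Return (cycle, examined).

    cycle is a node list whose first and last entries coincide, or None if
    the graph is acyclic; examined counts how many edges were looked at.
    """
    succ = {}                                   # succ[u] plays the role of G{u}
    for u, v in edges:
        succ.setdefault(u, []).append(v)

    badnodes = set()                            # memo set, never backtracked
    examined = 0
    for start in succ:                          # first backtracking point: domain G
        if start in badnodes:
            continue
        path = [start]                          # explicit stack of VE values
        pnodes = {start}                        # nodes on the current path
        pending = [iter(succ[start])]           # untried successors per path node
        while path:
            ve = path[-1]
            for v in pending[-1]:               # second backtracking point: G{VE}
                examined += 1
                if v in badnodes:               # already known to lead nowhere
                    continue
                if v in pnodes:                 # path closes on itself: cycle
                    return path[path.index(v):] + [v], examined
                path.append(v)
                pnodes.add(v)
                pending.append(iter(succ.get(v, ())))
                break
            else:                               # failure: no usable successor
                if use_memo:
                    badnodes.add(ve)            # learn from the mistake
                path.pop()
                pnodes.discard(ve)              # reversible incremental update
                pending.pop()
    return None, examined


if __name__ == "__main__":
    dag = diamond_chain(8)
    print("with memo   :", find_cycle(dag, use_memo=True)[1], "edge examinations")
    print("without memo:", find_cycle(dag, use_memo=False)[1], "edge examinations")
    print("cycle found :", find_cycle(dag + [("n8", "n3")])[0])
```

With the memo set every edge is examined at most once, which is the linear bound claimed for Version 11; without it the diamond chain forces the search to retrace every path.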

It is nevertheless of interest to see how the topological sort
could be derived by a similar sequence of transformations, starting with
another specification provably equivalent to our original specification.
That is, we prefer to shift the application of 'clever' transformations
to the specification level, so that a considerable effort in proving the
correctness of the topological sort algorithm can be elided. We now
turn our attention to this latter problem.


Consider the following specification:

    assume N = domain G + range G;
    find Y : enumeration(N) st
        (forall [A, B] in G : Y(A) < Y(B))

where by enumeration we mean a one-one map from N onto {1 ... #N}. We
can then use the default enumeration construction scheme described in
section 2, to obtain a first executable version:

VERSION 1:

    Y := {};
    (while domain Y /= N or exists [A, B] in G st Y(A) >= Y(B))
        X := arb* (N - domain Y);
        Y(X) := #Y + 1;      $ (evaluated right-to-left)
    end while;


We next note that the predicate 'exists ...' is monotone, i.e.
if it ever becomes true for some value of Y, it will remain true when
new elements are added to Y. Hence, to avoid immediate failure it must
be kept false at all times, and we consequently move it (negated) to the
end of the loop. Then we formally differentiate it as follows:

    (forall A in N : [A, X] in G implies Y(A) < Y(X))   and
    (forall B in N : [X, B] in G implies Y(X) < Y(B))


A very important principle can now be exemplified. In this case we
have a predicate Q(Y) whose full meaning will show only when Y is fully
generated. To be able to test Q(Y) also for partial values of Y we
interpret it by ignoring any subpredicate involving still undefined
components of Y (i.e. interpreting such subpredicates as being OM).
However, when we formally differentiate such a predicate, we might want
to 'look ahead' and consider also the relation of the newly added
component of Y to the components of Y still to be added. In several
cases (including our example) it may be possible to simplify the derived
predicate by using general properties that characterize the still
missing elements of Y.

In the case before us, we can split the nodes in N into two
classes, those in domain Y, and those (including X) still outside that
domain. Let Y' denote the current value of Y. This will give us the
predicate

    (forall A in domain Y' : [A, X] in G implies Y(A) < #Y' + 1)

and

    (forall A in N - domain Y' : [A, X] in G implies Y(A) < #Y' + 1)

and

    (forall B in domain Y' : [X, B] in G implies #Y' + 1 < Y(B))

and

    (forall B in N - domain Y' : [X, B] in G implies #Y' + 1 < Y(B))


The first conjunct simplifies to 'true', since for such A we have always
Y(A) < #Y' + 1. The second conjunct can be simplified, by noting that
Y(A) < #Y' + 1 is always false, so that we must have [A, X] notin G. To
simplify the third conjunct, we note that #Y' + 1 < Y(B) is false there,
so that we have [X, B] notin G. In the fourth conjunct, #Y' + 1 < Y(B)
is true for all B except X, so that it simplifies to [X, X] notin G,
which is subsumed by the simplified second conjunct. The derived
predicate thus simplifies to

    (forall A in N - domain Y' : [A, X] notin G)   and
    (forall B in domain Y' : [X, B] notin G)

Hence, we were able to deduce a property that X must satisfy in relation
to nodes not yet selected (the nodes A above), even though their Y value
is still undefined at this point. All this gives


VERSION 2:

    Y := {};
    (while domain Y /= N)
        X := arb* {W in N - domain Y st
                (forall A in N - domain Y : [A, W] notin G)   and
                (forall B in domain Y : [W, B] notin G)};
        Y(X) := #Y + 1;
    end while;


We can continue to simplify as follows: Another general rule of
thumb is to try to isolate the object currently being selected in the
predicate that governs this selection. In our case we wish to isolate
W. To do this, we try to transform the 'forall A' conjunct into

    W notin (+/ {G{A} : A in N - domain Y})

but a further look at the resulting predicate will show that it gains us
nothing, because the set expression appearing there is not amenable to
formal differentiation. A better way would be to transform it into

    (forall A in N - domain Y : A notin G-1{W})

and then to

    G-1{W} subset domain Y

which is in a much better shape for formal differentiation. The second
'forall' conjunct presents no problems, and we can transform it into

    W notin (+/ {G-1{B} : B in domain Y})

We have thus obtained

VERSION 2".

    Y := {};
    (while domain Y /= N)
        X := arb* {W in N - domain Y st
                W notin (+/ {G-1{B} : B in domain Y})   and
                W in {A in N : G-1{A} subset domain Y}};
        Y(X) := #Y + 1;
    end while;


Next we apply formal differentiation to both set expressions
appearing in the predicate above. Call the first set PREVS and the
second set NOPREDS. PREVS is easy to differentiate; NOPREDS is
somewhat trickier: when increasing the domain of Y by X, no elements
need be deleted from NOPREDS, and the only elements that can be added to
it are those A for which A in G{X}. This observation yields the
following


VERSION

    Y := {};
    PREVS := {};
    NOPREDS := {A in N | G-1{A} = {}};
    (while domain Y /= N)
        X := arb* {W in N - domain Y st
                W notin PREVS and W in NOPREDS};
        Y(X) := #Y + 1;
        PREVS +:= G-1{X};
        NOPREDS +:= {A in G{X} : G-1{A} subset domain Y};
    end while;


Next we can prove that at the point of selection of X, PREVS subset
domain Y, so that the test 'W notin PREVS' is redundant, and can
therefore be eliminated. This will make PREVS dead, so that we can
eliminate it altogether.


Then we define a new set NEWNOPREDS as NOPREDS - domain Y (this is
the set from which X is selected). The next step is to formally
differentiate NEWNOPREDS. To do this, we have to change the condition

    G-1{A} subset domain Y

into

    # {W in G-1{A} : W notin domain Y} = 0

Let us define, for each A in N, this expression as NUMPREDS(A). This
calls for the formal differentiation of NUMPREDS(A) for all A in N. All
this will produce the following

VERSION

    Y := {};
    NUMPREDS := {};
    (forall A in N)
        NUMPREDS(A) := # G-1{A};
    end forall;
    NEWNOPREDS := {A in N : NUMPREDS(A) = 0};
    (while domain Y /= N)
        X := arb* NEWNOPREDS;
        Y(X) := #Y + 1;
        (forall A in G{X})
            NUMPREDS(A) -:= 1;
        end forall;
        NEWNOPREDS +:= {A in G{X} : NUMPREDS(A) = 0};
        NEWNOPREDS less:= X;
    end while;


Next we want to remove the nondeterminism in the selection of X.
This can be done by proving that any selection will succeed iff the
graph does not contain a cycle. Then we can select X in a deterministic
manner giving what is essentially Knuth's topological sort algorithm.
It is interesting to note that our termination test for the while loop
is different from the one used in the standard topological sort (i.e.
'while NEWNOPREDS /= {}'). Our test causes the program to fail (if
there are cycles) during selection from an empty NEWNOPREDS; the
standard test avoids such a failure, but an additional test at the loop
exit is then needed, to test whether domain Y /= N. Hence the
difference between these two versions is that these two tests are
executed in a different order.


A gratifying by-product of our transformational process is that it
implies easily that our final program can compute all possible
topological sorted orderings of N. This is because the original
specification had that property, and the search space has not been
pruned along our transformational process (except for the conversion of
nondeterministic selection to a deterministic but arbitrary one).
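The differentiated program and the two termination tests discussed above, as an added Python example that is not part of the original paper. Recording Y as a list, the `choose` parameter standing in for arb*, and the sample graphs are assumptions of this example.

```python
class CyclicGraph(Exception):
    """The graph has a cycle, so no topological order exists."""

def _init(nodes, G):
    # NUMPREDS(A) := # G^-1{A}; NEWNOPREDS := {A in N : NUMPREDS(A) = 0}
    numpreds = {a: 0 for a in nodes}
    for x in nodes:
        for a in G.get(x, ()):
            numpreds[a] += 1
    return numpreds, {a for a in nodes if numpreds[a] == 0}

def _place(x, G, numpreds, newnopreds, order):
    # Loop body shared by both variants: update the differentiated values.
    order.append(x)                 # assumption: Y is recorded as a list
    for a in G.get(x, ()):
        numpreds[a] -= 1            # NUMPREDS(A) -:= 1
        if numpreds[a] == 0:
            newnopreds.add(a)       # NEWNOPREDS +:= {A in G{X} : ... = 0}
    newnopreds.discard(x)           # NEWNOPREDS less:= X

def toposort_paper(nodes, G, choose=min):
    """Loop test 'domain Y /= N': fails when selecting from an empty set."""
    numpreds, newnopreds = _init(nodes, G)
    order = []
    while len(order) != len(nodes):
        if not newnopreds:          # arb* applied to an empty NEWNOPREDS
            raise CyclicGraph("selection from empty NEWNOPREDS")
        _place(choose(newnopreds), G, numpreds, newnopreds, order)
    return order

def toposort_standard(nodes, G, choose=min):
    """Loop test 'NEWNOPREDS /= {}': the cycle check moves to loop exit."""
    numpreds, newnopreds = _init(nodes, G)
    order = []
    while newnopreds:
        _place(choose(newnopreds), G, numpreds, newnopreds, order)
    if len(order) != len(nodes):    # the additional test: domain Y /= N
        raise CyclicGraph("nodes remain after NEWNOPREDS became empty")
    return order

def is_topological(order, G):
    # Every edge x -> a must have x placed before a.
    pos = {x: i for i, x in enumerate(order)}
    return all(pos[x] < pos[a] for x in G for a in G[x])

# Constructed sample graphs: node -> set of successors (G{X} in the text).
DAG = {1: {2, 3}, 2: {4}, 3: {4}, 4: set()}
CYCLE = {1: {2}, 2: {3}, 3: {2}}

if __name__ == "__main__":
    print(toposort_paper(set(DAG), DAG), toposort_paper(set(DAG), DAG, max))
```

Passing a different `choose` yields a different valid ordering, which is the arbitrary-but-deterministic selection the text refers to.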


ANOTHER  EXAMPLE 


THE EIGHT QUEENS PROBLEM


In this section we describe a possible transformational construction of
a program solving the eight queens problem from its obvious
'specification', resulting in a variant of Wirth's algorithm as appears
in [Wi]. As in the previous section, the transformations have been
chosen in a manner which we hope will be amenable to a large degree of
mechanization (or at least formalization). General comments projecting
from the experience with this problem toward the future design of a
transformational system are noted as 'observations' along the way.


VERSION 1: (informal specification) Place 8 queens on an 8x8 board such
that no two queens can attack each other.


In this informal initial version several concepts require more formal
definitions, such as '8x8 board' and 'two queens can attack each
other'. There is also one fundamental design issue: What does 'place 8
queens' mean? It might mean: find a map from a set of 8 abstract
objects ('queens') to the set of board positions. However, using the
fact that these queens are indistinguishable from one another, and the
fact that no two queens can occupy the same board position, we deduce
that the above request might also mean: find a set of 8 board
positions. The second request is more general in the sense that it does
not impose order among the queens, but is also more specific in the
sense that it limits the search space. We will consider the second form
of the problem, as this will make it easier for us to convert
nondeterministic selection to a deterministic selection later in the
transformational process.


VERSION 2: (formal specification): Let B denote the set of all board
positions, i.e. B = N x N, where N = {1 ... 8}. Let ATT denote a
relation on B such that forall X, Y in B : ATT(X, Y) means that a queen
at position X can attack position Y. I.e.

    ATT(X, Y) = X - Y in ATTACK

where

    ATTACK = ATTACKR + ATTACKC + ATTACKUD + ATTACKDD

where

    ATTACKR  = {[m - n, 0] : m in N, n in N}      (attack in row)
    ATTACKC  = {[0, m - n] : m in N, n in N}      (in column)
    ATTACKUD = {[m - n, m - n] : m in N, n in N}  (in up diagonal)
    ATTACKDD = {[m - n, n - m] : m in N, n in N}  (in down diagonal)

Then

    find S : subset B st
        # S = 8 and
        (forall Y in S, Z in S : Y /= Z implies not ATT(Y, Z))


OBSERVATION: We assume that our system has already been given some
'education' of general kind which is relevant to some of the structural
features of the 8 queens problem, i.e. that it can recognize [...], and
also that it has some feeling for the classes of very high level
program manipulations likely to be of broad utility.


Our first transformation uses the basic subset construction scheme
given in section 2 to convert the above version into the following
executable form:


VERSION 3:

S := {};
(while # S < 8 or
       exists Y in S, Z in S st Y /= Z and ATT(Y, Z))
    X := arb* (B - S);
    S with:= X;
end while;


[...] selection of X. This will yield the following version:


VERSION 4:

Let B, N, ATT etc. be defined as above.

S := {};
(while # S < 8)
    X := arb* {W in B - S st
          W /= W implies not ATT(W, W) and
          (forall Y in S :
              W /= Y implies not ATT(W, Y) and
              Y /= W implies not ATT(Y, W) )};
    S with:= X;
end while;




This can however be simplified by noting that W /= W is false, and
that W /= Y and Y /= W will always be true. Also we utilize the
symmetry of the relation ATT, to eliminate one appearance of ATT in
version 4. We thus obtain


VERSION 5:

Same definitions as above

S := {};
(while # S < 8)
    X := arb* {W in B - S st (forall Y in S : not ATT(W, Y))};
    S with:= X;
end while;


Next we substitute (another transformation) the definition of ATT to
transform

    not ATT(W, Y)

into

    W - Y notin ATTACK

and by a further substitution into

    W - Y notin (ATTACKR + ATTACKC + ATTACKUD + ATTACKDD)

OBSERVATION: It is useful to break a definition (such as that of ATT)
into subdefinitions, so that they can be applied separately, allowing
control over the degree of expansion ('unfolding' if you will) during
substitution.

Next apply a set-theoretic rule of the form

    Z notin (A + B) = Z notin A and Z notin B

and associativity of set union to obtain


VERSION 6:

S := {};
(while # S < 8)
    X := arb* {W in B - S st
          (forall Y in S :
              W-Y notin ATTACKR and
              W-Y notin ATTACKC and
              W-Y notin ATTACKUD and
              W-Y notin ATTACKDD )};
    S with:= X;
end while;




Next substitute B = N x N. An interesting transformation then becomes
applicable, namely - nondeterministic selection of an element of a
cartesian product A x B is equivalent to a nondeterministic selection
of the first component from A followed by a nondeterministic selection
of the second component from B. In conjunction with this
transformation, we also substitute [XC, XR] for X and [YC, YR] for Y.
These substitutions, unlike substitutions of definitions, require
verification of their enabling conditions, which state that X and Y
should have 'data types' which permit such substitutions.

OBSERVATION: Our system will then have to maintain some kind of type
information concerning the variables appearing in the program being
constructed. This should generally be much simpler to do as compared
e.g. to the type analysis currently used in the SETL optimizer (cf.
[Te]), especially when the initial specification is control-free.

Applying also the definition of vector subtraction we obtain


VERSION 7:

S := {};
(while # S < 8)
    XC := arb* N;
    XR := arb* {WR in N st [XC, WR] notin S and
          (forall [YC, YR] in S :
              [XC-YC, WR-YR] notin ATTACKR and
              [XC-YC, WR-YR] notin ATTACKC and
              [XC-YC, WR-YR] notin ATTACKUD and
              [XC-YC, WR-YR] notin ATTACKDD )};
    S with:= [XC, XR];
end while;


Next, substitute the definition of ATTACKR, ATTACKC etc. Consider
ATTACKR for example. We get

    [XC-YC, WR-YR] notin {[m - n, 0] : m in N, n in N}

which, after application of a few rules will get transformed into

    WR /= YR

Similar inequalities can be obtained from the other subrelations. Hence
we obtain

VERSION 8:

S := {};
(while # S < 8)
    XC := arb* N;
    XR := arb* {WR in N st [XC, WR] notin S and
          (forall [YC, YR] in S :
              WR /= YR and XC /= YC and
              XC-YC /= WR-YR and XC-YC /= -(WR-YR) )};
    S with:= [XC, XR];
end while;


NOTE: At this point, B, ATTACKR, ATTACKC etc. become dead and can
therefore be eliminated.

Next use the rule

    (forall Z in S : P(Z) and Q(Z)) =
        (forall Z in S : P(Z)) and (forall Z in S : Q(Z))

and the rule

    (forall Z in S : A /= F(Z)) = A notin {F(Z) : Z in S}

and the rule

    A - B /= C - D = A - C /= B - D

and similar rules concerning addition, to change the predicate appearing
in the last version to

    WR notin {YR : [YC, YR] in S} and
    XC notin {YC : [YC, YR] in S} and
    WR-XC notin {YR-YC : [YC, YR] in S} and
    WR+XC notin {YR+YC : [YC, YR] in S}

At this moment we can get rid of the test [XC, WR] notin S by proving
that this is implied by either of the predicates

    WR notin {YR : [YC, YR] in S}

or the second one.

Now we are in a position to apply formal differentiation to the sets
appearing above. Calling these sets BADR, BADC, BADUD and BADDD
respectively, we obtain the following


VERSION 9:

S := {};
BADC := BADR := BADUD := BADDD := {};
(while # S < 8)
    XC := arb* N;
    XR := arb* {WR in N st
          XC notin BADC and WR notin BADR and
          WR-XC notin BADUD and WR+XC notin BADDD};
    S with:= [XC, XR];
    BADC with:= XC;
    BADR with:= XR;
    BADUD with:= XR-XC;
    BADDD with:= XR+XC;
end while;


Next perform code motion, moving the code independent of XR to the
point before the selection of XR. Also, formally differentiate # S
appearing in the while clause, to obtain a fragment which has the form

NS := 0;
(while NS < 8)
    NS +:= 1;
    XC := arb* {WC in N st WC notin BADC};
    BADC with:= XC;
    BLOCK(XC);
end while;


Then a very interesting transformation becomes applicable. This
transformation eliminates the nondeterminism in the choice of XC. In
general, if one has the pattern

K := {};
(forall ITERATOR)
    X := arb* (A - K);
    K with:= X;
    BLOCK(X);
end;

where the ITERATOR's variable(s) do not appear in the loop except to
modify themselves, and where, for any two values X1, X2 of X chosen in
succession, we have the property that the effect of executing BLOCK(X1)
followed by BLOCK(X2) is the same as the effect of executing BLOCK(X2)
followed by BLOCK(X1), and if the number of times the loop is executed
is equal to # A then the above pattern can be transformed into

(forall X in A)
    BLOCK(X);
end;


That is, the X's chosen are all the elements of A, each chosen exactly
once, and the order in which they are selected is not important.
Admittedly, this is the toughest transformation applied so far in our
chain, and is one which requires a lot of verification concerning its
enabling conditions. We would like very much to see a cleaner way of
eliminating this nondeterminism.

We thus come to the following

S := {};
BADR := BADUD := BADDD := {};
(forall XC in N)
    XR := arb* {WR in N st
          WR notin BADR and WR-XC notin BADUD and
          WR+XC notin BADDD};
    S with:= [XC, XR];
    BADR with:= XR;
    BADUD with:= XR-XC;
    BADDD with:= XR+XC;
end forall;


We are now almost at our final version. The last major transformation
still to be tackled involves backtracking optimization of the sort
mentioned in the previous section. More precisely, we would like to
make the backtracking (implied by the nondeterministic selection of XR)
explicit, and optimize the environment-saving mechanism by saving as
few objects as possible, and maintaining other objects (which also may
have to be saved by default) in terms of the saved objects. To this end
we can proceed as follows:

Since XR is the variable chosen nondeterministically, it (or, rather, a
pointer to its position in N) will have to be saved. We then note that
when backtracking to a previously saved environment, the only changes
that took place since that save are to XC, S, BADR, BADUD, BADDD, and
all of these changes are incremental and can be reversed also in an
incremental fashion. (This is true if one assumes that the linear order
of iteration through N will be used. Also, the inverse operation of,
say, 'BADR with:= XR' is 'BADR less:= XR' only because at the point of
insertion XR did not belong to BADR (which can be verified).) All this
will produce


VERSION 10:

S := {};
STACK := [];
BADR := BADUD := BADDD := {};
XC := 0;
(doing XC +:= 1; while XC <= 8)
    XR := 0;
back: XR +:= 1;
    if XR > 8 then              $ failure
        if STACK = [] then      $ total failure
            print('no solution');
            stop;
        end if;
        XR frome STACK;
        XC -:= 1;
        S less:= [XC, XR];
        BADR less:= XR;
        BADUD less:= XR-XC;
        BADDD less:= XR+XC;
        goto back;
    elseif XR in BADR or XR-XC in BADUD or XR+XC in BADDD then
        goto back;
    else
        STACK with:= XR;
        S with:= [XC, XR];
        BADR with:= XR;
        BADUD with:= XR-XC;
        BADDD with:= XR+XC;
    end if;
end;


The next thing that we can do is to note that S is not used at all in
the loop (except for modifying itself). We can prove that at exit from
the loop one has

    S = {[I, STACK(I)] : I in [1...8]}

and consequently compute S this way at exit from the loop. This final
version would be quite close to Wirth's algorithm.
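VERSION 10 carried over to Python and checked against the VERSION 2 specification, as an added example that is not part of the original paper. The board-size parameter `n`, the tuple representation of positions and the function names are assumptions of this example; S is rebuilt from the stack at loop exit, as the last step above describes.

```python
def att(x, y):
    """ATT from VERSION 2: a queen at x = (col, row) attacks position y."""
    dc, dr = x[0] - y[0], x[1] - y[1]
    return dr == 0 or dc == 0 or dc == dr or dc == -dr

def queens_version10(n=8):
    """Explicit backtracking; only the chosen rows are saved on the stack."""
    stack = []                       # saved XR for columns 1 .. XC-1
    badr, badud, baddd = set(), set(), set()
    xc, xr = 1, 0
    while xc <= n:
        xr += 1                      # back: XR +:= 1
        if xr > n:                   # failure in this column
            if not stack:            # total failure: no solution
                return None
            xr = stack.pop()         # XR frome STACK
            xc -= 1
            # Incremental undo. remove() raises if the value is missing,
            # which checks that each value was absent when it was inserted.
            badr.remove(xr)
            badud.remove(xr - xc)
            baddd.remove(xr + xc)
        elif xr in badr or xr - xc in badud or xr + xc in baddd:
            continue                 # goto back
        else:
            stack.append(xr)
            badr.add(xr)
            badud.add(xr - xc)
            baddd.add(xr + xc)
            xc, xr = xc + 1, 0       # next column, XR := 0
    # S recovered at loop exit: S = {[I, STACK(I)] : I in [1...n]}
    return {(i + 1, r) for i, r in enumerate(stack)}

def satisfies_spec(s, n=8):
    """VERSION 2: # S = n and no two distinct members attack each other."""
    return len(s) == n and all(
        not att(y, z) for y in s for z in s if y != z)

if __name__ == "__main__":
    print(sorted(queens_version10()))
```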


ACKNOWLEDGEMENT. My thanks are given to Jack Schwartz and Ed Schonberg
for reviewing this paper.